Bamboo for Windows uses a version of Git LFS vulnerable to remote code execution (CVE-2021-21237)

    • 9.1
    • Critical
    • CVE-2021-21237

      Git LFS is vulnerable to remote code execution on Windows (CVE-2021-21237):

      On Windows, if Git LFS operates on a malicious repository with a git.bat or git.exe file in the current directory, that program would be executed, permitting the attacker to execute arbitrary code. This does not affect Unix systems.

      This is the result of an incomplete fix for CVE-2020-27955.

      This issue occurs because on Windows, Go includes (and prefers) the current directory when the name of a command run does not contain a directory separator.
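One way to avoid the lookup behaviour described above is to resolve a bare command name against trusted PATH directories only and never against the working directory. The Go code below is an added example, not code from Git LFS, Go or Atlassian; `LookPathNoCwd`, its parameters and `ErrNotFound` are hypothetical names, and `exts` stands in for the Windows `PATHEXT` list.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ErrNotFound is returned when no trusted PATH directory holds the command.
var ErrNotFound = errors.New("command not found outside the working directory")

// LookPathNoCwd (hypothetical helper) resolves a bare command name against
// pathDirs only. It never tries the working directory: empty, ".", other
// relative entries and entries equal to cwd are all skipped.
// exts stands in for PATHEXT, e.g. []string{".exe", ".bat"}.
func LookPathNoCwd(name string, pathDirs, exts []string, cwd string) (string, error) {
	if strings.ContainsAny(name, `/\`) {
		return "", fmt.Errorf("%q is not a bare command name", name)
	}
	cwd = filepath.Clean(cwd)
	for _, dir := range pathDirs {
		if dir == "" || !filepath.IsAbs(dir) {
			continue // "" and "." both mean "current directory"
		}
		dir = filepath.Clean(dir)
		if strings.EqualFold(dir, cwd) { // case-insensitive, as Windows paths are
			continue // PATH entry points back into the checkout
		}
		for _, ext := range exts {
			candidate := filepath.Join(dir, name+ext)
			if info, err := os.Stat(candidate); err == nil && info.Mode().IsRegular() {
				return candidate, nil
			}
		}
	}
	return "", ErrNotFound
}

func main() {
	cwd, _ := os.Getwd()
	dirs := filepath.SplitList(os.Getenv("PATH"))
	// "" matches extensionless binaries on Unix; Windows would use PATHEXT.
	p, err := LookPathNoCwd("git", dirs, []string{".exe", ".bat", ""}, cwd)
	fmt.Println(p, err)
}
```

A caller would pass the returned absolute path to the process-launch call instead of the bare name, so a `git.bat` or `git.exe` placed in the checkout is never considered.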

      The fix contains only changes to the Windows AMIs used by Bamboo Elastic agents.

            Assignee: Unassigned
            Reporter: Security Metrics Bot